Sun Java System Portal Server Secure Remote Access 6 2005Q1 Administration Guide
Chapter 13
Configuring SSL Accelerators
This chapter describes how to configure various accelerators for Sun Java™ System Portal Server Secure Remote Access.
This chapter covers the following topics.
Overview
An external accelerator is a dedicated hardware coprocessor that offloads the SSL functions from the server CPU, freeing the CPU to perform other tasks and thereby increasing the processing speed of SSL transactions.
Sun Crypto Accelerator 1000
The Sun™ Crypto Accelerator 1000 (Sun CA1000) board is a short PCI board that operates as a cryptographic coprocessor to accelerate public key and symmetric cryptography. The product has no external interface; the board communicates with the host through the internal PCI bus interface. It is intended to accelerate a variety of computationally intensive cryptographic algorithms used by security protocols in eCommerce applications.
Many core cryptographic operations, such as RSA [7] and Triple-DES (3DES) [8], can be offloaded from the application to the Sun CA1000 and executed in parallel. This leaves the CPU free to perform other tasks, which increases SSL transaction throughput.
Using the Crypto Accelerator 1000
Ensure that Portal Server Secure Remote Access is installed and that the gateway server certificate (self-signed or issued by a CA) is installed. See Chapter 7, "Certificates," for details.
Table 13-1 is a checklist that helps you track the information needed before installing the SSL accelerator; it lists the Crypto Accelerator 1000 parameters and their values.
Configuring the Crypto Accelerator 1000
To configure the Crypto Accelerator 1000:
- Install the hardware according to the instructions in the user guide. See:
http://www.sun.com/products-n-solutions/hardware/docs/pdf/816-2450-11.pdf
- Install the following packages from the CD:
SUNWcrypm, SUNWcrypu, SUNWcrysu, SUNWdcar, SUNWcrypr, SUNWcrysl, SUNWdcamn, SUNWdcav
- Install the following patches (available from http://sunsolve.sun.com):
110383-01, 108528-05, 112438-01
- Ensure that the pk12util and modutil tools are available.
These tools are installed under /usr/sfw/bin. If they are not present in the /usr/sfw/bin directory, you must manually add the SUNWtlsu package from the Sun Java System distribution media:
Solaris_[sparc/x86]/Product/shared_components/
- Create the slots file:
vi /etc/opt/SUNWconn/crypto/slots
and enter "crypta@sra" as the first and only line of the file.
- Create and configure a realm.
- Create a user.
- Log in as the user you created:
secadm{root@sra}> login user=crypta
Password:
secadm{crypta@sra}> show key
No keys exist for this user.
- Load the Sun Crypto module.
The LD_LIBRARY_PATH environment variable must point to /usr/lib/mps/secv1/.
Type:
modutil -dbdir /etc/opt/SUNWps/cert/default -add "Sun Crypto Module" -libfile /opt/SUNWconn/crypto/lib/libpkcs11.so
Verify that the module is loaded with the following command:
modutil -list -dbdir /etc/opt/SUNWps/cert/default
- Export the gateway certificate and key to the "Sun Crypto Module".
The LD_LIBRARY_PATH environment variable must point to /usr/lib/mps/secv1/.
Type:
pk12util -o servercert.p12 -d /etc/opt/SUNWps/cert/default -n server-cert
pk12util -i servercert.p12 -d /etc/opt/SUNWps/cert/default -h "crypta@sra"
Now run the show key command:
secadm{crypta@sra}> show key
Two keys should be listed for this user.
- Change the nickname in the /etc/opt/SUNWps/cert/default/.nickname file:
vi /etc/opt/SUNWps/cert/default/.nickname
Replace server-cert with crypta@sra:server-cert.
- Enable the ciphers to be accelerated.
The Sun CA1000 accelerates RSA operations, but it supports acceleration only for the DES and 3DES ciphers.
- Modify /etc/opt/SUNWps/platform.conf.gateway-profile-name to use the accelerator:
gateway.enable.accelerator=true
- Restart the gateway from a terminal window:
portal-server-install-root/SUNWps/bin/gateway -n gateway-profile-name start
Sun Crypto Accelerator 4000
The Sun™ Crypto Accelerator 4000 board is a Gigabit Ethernet-based network interface card that provides cryptographic hardware acceleration for IPsec and SSL (both symmetric and asymmetric) on Sun servers.
In addition to operating as a standard Gigabit Ethernet network card for unencrypted network traffic, the board includes cryptographic hardware that supports high throughput for encrypted IPsec traffic.
The Crypto Accelerator 4000 board accelerates cryptographic algorithms in both hardware and software. It also supports bulk encryption for the DES and 3DES ciphers.
Using the Crypto Accelerator 4000
Ensure that SRA is installed and that the gateway server certificate (self-signed or issued by a CA) is installed. The following checklist helps you confirm the information needed before installing the SSL accelerator.
Table 13-2 lists the Crypto Accelerator 4000 parameters and their values.
Configuring the Crypto Accelerator 4000
To configure the Crypto Accelerator 4000:
- Install the hardware and software packages according to the instructions in the user guide. See:
http://www.sun.com/products-n-solutions/hardware/docs/pdf/816-2450-11.pdf
- Install the following patch (available from http://sunsolve.sun.com): 114795
- Ensure that the certutil, pk12util and modutil tools are available.
These tools are installed under /usr/sfw/bin. If they are not available in the /usr/sfw/bin directory, you must manually add the SUNWtlsu package from the Sun Java System distribution media:
Solaris_[sparc/x86]/Product/shared_components/
- Initialize the board.
Run the /opt/SUNWconn/bin/vcaadm tool to initialize the cryptographic board and set the following values:
Initial security officer name: sec_officer
Keystore name: sra-keystore
Run in FIPS 140-2 mode: No
- Create a user:
vcaadm{vca0@localhost, sec_officer}> create user
New user name: crypta
Enter new user password:
Confirm password:
User crypta created successfully.
- Map the token to the keystore:
vi /opt/SUNWconn/cryptov2/tokens
and add sra-keystore to the file.
- Enable the use of bulk encryption:
touch /opt/SUNWconn/cryptov2/sslreg
- Load the Sun Crypto module.
The LD_LIBRARY_PATH environment variable must point to /usr/lib/mps/secv1/.
Type:
modutil -dbdir /etc/opt/SUNWps/cert/default -add "Sun Crypto Module" -libfile /opt/SUNWconn/cryptov2/lib/libvpkcs11.so
You can verify that the module is loaded with the following command:
modutil -list -dbdir /etc/opt/SUNWps/cert/default
- Export the gateway certificate and key to the "Sun Crypto Module".
The LD_LIBRARY_PATH environment variable must point to /usr/lib/mps/secv1/.
pk12util -o servercert.p12 -d /etc/opt/SUNWps/cert/default -n server-cert
pk12util -i servercert.p12 -d /etc/opt/SUNWps/cert/default -h "sra-keystore"
You can verify that the key was exported with the following command:
certutil -K -h "sra-keystore" -d /etc/opt/SUNWps/cert/default
- Change the nickname in the /etc/opt/SUNWps/cert/default/.nickname file:
vi /etc/opt/SUNWps/cert/default/.nickname
Replace server-cert with sra-keystore:server-cert.
- Enable the ciphers to be accelerated.
See Using SSL Cipher Selection for details.
- Restart the gateway from a terminal window:
portal-server-install-root/SUNWps/bin/gateway -n gateway-profile-name start
The gateway prompts you for the keystore password.
Enter the password or PIN for "sra-keystore":crypta:crypta-password.
External SSL Devices and Proxy Accelerators
An external SSL device can run in front of Secure Remote Access (SRA) in open mode. The device provides the SSL link between the client and SRA.
Using an External SSL Device Accelerator
- Ensure that SRA is installed and that the gateway is running in open mode (HTTP mode).
- Use an HTTP connection. See Using HTTP Basic Authentication.
Table 13-3 shows the external SSL device and proxy accelerator parameters and values.
Table 13-3 External SSL Device and Proxy Accelerator Checklist
Parameter                     Value
SRA instance                  default
Gateway mode                  http
Gateway port                  880
External device/proxy port    443
Configuring an External SSL Device Accelerator
To configure an external SSL device accelerator:
- Install the hardware and software packages according to the instructions in the user guide.
- Install the required patches, if any.
- Configure the gateway instance to use HTTP.
- Enter the following values in the platform.conf file:
gateway.enable.customurl=true
gateway.enable.accelerator=true
gateway.httpurl=https://external-device-URL:port-number
- Configure gateway notification; this can be done in either of two ways.
- Ensure that the SSL device/proxy is running and is configured to forward traffic to the gateway port.
- Restart the gateway from a terminal window:
gateway-install-root/SUNWps/bin/gateway -n gateway-profile-name start
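All three procedures in this chapter (Crypto Accelerator 1000, Crypto Accelerator 4000 and external SSL device) end with hand edits to platform.conf and, for the boards, to the .nickname file. The POSIX shell helpers below are an added example, not part of the Sun guide: they make those edits idempotently so that re-running a procedure leaves neither duplicate keys nor a doubly prefixed nickname, and they check that the accelerator settings are consistent; the token name and device host used in the comments are assumptions.

```shell
# Added example (not from the Sun guide). Paths are passed in so the helpers
# can be tried on copies of the files before touching the live gateway config.

# set_conf_key FILE KEY VALUE: replace an existing "KEY=" line or append one.
# Re-running the procedure therefore never produces duplicate keys.
set_conf_key() {
    file=$1 key=$2 value=$3
    if grep -q "^$key=" "$file" 2>/dev/null; then
        sed "s|^$key=.*|$key=$value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# set_nickname_token FILE TOKEN: turn "server-cert" into "TOKEN:server-cert"
# (e.g. sra-keystore:server-cert). Returns 1 instead of adding a second prefix
# when the nickname is already token-qualified.
set_nickname_token() {
    file=$1 token=$2
    nick=$(cat "$file")
    case $nick in
        *:*) return 1 ;;   # already qualified; refuse to double-prefix
    esac
    printf '%s:%s\n' "$token" "$nick" > "$file"
}

# check_accel_conf FILE: 0 when the accelerator settings are consistent.
# gateway.enable.accelerator must be true; if gateway.enable.customurl is true
# (external device), gateway.httpurl must be https://host:port (assumed form).
check_accel_conf() {
    file=$1
    grep -q '^gateway.enable.accelerator=true$' "$file" || return 1
    if grep -q '^gateway.enable.customurl=true$' "$file"; then
        grep -Eq '^gateway.httpurl=https://[^:/]+:[0-9]+$' "$file" || return 2
    fi
    return 0
}
```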